Health Information Privacy Protection: Crisis or Common Sense?

Abstract

Concerns about the protection of personally identifiable information are not unique to the health care industry; however, consumers view their medical records as more "private" than other information, such as financial data, because involuntary disclosure can affect jobs or health insurance status. This paper briefly touches upon new sweeping federal privacy standards mandated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The article outlines who and what is covered under the new rules, considers how practitioners can approach compliance with common sense, addresses concerns related to risk management, discusses consumer health privacy issues, and notes the difficulty of evaluating these rules and regulations. The article also looks at some unique privacy issues facing telemedicine and telehealth practitioners.

Over the past five years, dramatic technological advances have made the practice of telemedicine and telehealth easier, faster and cheaper.

At the same time, the ability to electronically capture, store, transfer and distribute health information to one person or a billion recipients, with the touch of a fingertip on a computer keyboard, raises many troubling privacy security and confidentiality questions.

The health care industry’s concerns about the privacy, security and confidentiality of patient information are not unique. The financial services industry, including banks and credit cards companies, have been at the forefront of developing protections for personally identifiable financial information. Yet many consumers consider their health information to be more "private" than a bank account statement, which is routinely accessed by mortgage lenders, landlords and other third parties. Patients with chronic health problems or more serious conditions, such as cancer or HIV/AIDS, may be vulnerable to involuntary disclosure that could affect their job status or health insurance coverage.

With advances in gene research, even young, healthy adults may be concerned about the disclosure of genetic information. For example, Terri Seargent, a North Carolina resident, was fired from her job after being diagnosed with a genetic disorder that required expensive treatment (Weiss, 2000). Before being fired, Terri was given a positive review and a raise. She suspected that her employer, who is self-insured, found out about her condition and fired her to avoid the projected expenses. Similar medical privacy stories can be found at the Georgetown University, Institute for Health Care Research and Policy, Health Privacy Project Website: www.healthprivacy.org.

Before discussing privacy, security and confidentiality at any length, a "working" definition of privacy, security and confidentiality will help to understand these concepts. Ware (1993) offers the following definitions:

"Privacy is an individual’s claim to control the use and disclosure of personal information. This claim is backed by the societal value representing that claim. Confidentiality is a status accorded to information that indicates it is sensitive for stated reasons and therefore must be protected and access to it controlled. Security are the safeguards (administrative, technical, or physical) in an information system that protect it and its contents against unauthorized disclosure, and limit access to authorized users in accordance with an established policy" (page 43).

Health Insurance Portability and Accountability Act of 1996

Historically, health regulation has fallen primarily under state jurisdiction. Each state governs the licensing of health providers, regulates their practice, and governs the use and disclosure of health information. State laws differ widely in protection, complexity and coverage, and there is typically no one statute governing health data within a state. The Health Privacy Project of the Institute for Health Care Research and Policy at Georgetown University has compiled a comprehensive 50-state survey of health privacy statutes. A summary of findings is found at the Health Privacy Project Web site: www.healthprivacy.org/underresources/statereports.

To address the need for a national patient record privacy standard, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is best known for creating a health insurance safety net for individuals moving from one job to another. Lesser known is the Act’s sweeping mandates concerning the standardization of health information.

Under HIPAA’s Administrative Simplification provision, either Congress or (in the absence of congressional action by August, 1999), the Department of Health and Human Services (DHHS) was required to develop a series of national standards for administrative and financial electronic data transactions. These transactions would include areas such as electronic transaction standards for electronic exchange of health information for administrative purposes; a national provider identifier; and an employer identifier and secure electronic signatures. Additionally, the Act mandated either Congress or DHHS to develop regulations to protect the security and privacy of individually identifiable health information transmitted in any format by covered entities.

In the absence of congressional action within the mandated deadline, DHHS was required to publish proposed HIPAA privacy rules in 1999 and final rules by February, 2000. On December 28, 2000, DHHS released the final HIPAA privacy rules in the Federal Register. Initially, the Administration delayed implementation because of an administrative error but later DHHS Secretary Tommy Thompson announced that the rules would take effect on April 14, 2001. Consequently, most covered entities must implement the HIPAA privacy rule provisions by April, 2003. DHHS has since released a DHHS Fact Sheet on HIPAA rules (DHHS, May 2001) as well as recent HIPAA Guidelines with common questions and answers on July 6, 2001 (DHHS, July 2001).

Additionally, covered entities are responsible for the actions of their third party business partners. That is, HIPAA privacy standards apply indirectly to business associates because a covered entity must develop a legal agreement with their business partners to safeguard individual health information obtained from the covered entity. For example, a hospital will need to develop a patient privacy agreement with its billing company or its outside data management company or any third party business associate that receives patient information from the hospital. Moreover, the covered entity must address situations when business associates fail to comply with their privacy obligations. According to DHHS’ July 2001 guidelines, a business associate is:

a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI. A business associate is not a member of the health care provider, health plan, or other covered entity's workforce. A health care provider, health plan, or other covered entity can also be a business associate to another covered entity. The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes - for example, information exchanges between a hospital and physicians with admitting privileges at the hospital (DHHS, Office/Civil Rights, 2001).

Covered entities must inform individuals about how their health information is used and disclosed and ensure their access to that information. Written authorization from patients for the use and disclosure of health information is required for most purposes, with the exception of health care treatment, payment, operations, and certain national priority purposes. The DHHS Fact Sheet (May, 2001) on HIPAA outlines important patient rights as shown below:

Patient education on privacy protections: Providers and health plans will be required to give patients a clear written explanation of how the covered entity may use and disclose their health information.

Ensuring patient access to their medical records: Patients will be able to see, get copies of their records, and request amendments. In addition, a history of non-routine disclosures must be made accessible to patients. (Non-routine disclosures might include the disclosure of a cardiac patient’s mental health records to determine if medication for the treatment of mental health had possible side effects on high blood pressure).

Receiving patient consent before information is released: Health care providers who see patients will be required to obtain patient consent before sharing their information for treatment, payment, and health care operations. In addition, separate patient authorization must be obtained for non-routine disclosures and most non-health care purposes. Patients will have the right to request restrictions on the uses and disclosures of their information.

Providing recourse if privacy protections are violated: People will have the right to file a formal complaint with a covered provider or health plan, or with HHS, about violations of the provisions of this rule or the policies and procedures of the covered entity.

General Compliance

Covered entities must protect individually identifiable health information against deliberate or inadvertent misuse or disclosure. Consequently, health plans and providers must maintain administrative and physical safeguards to protect the confidentiality of health information and to protect against unauthorized access. The HIPAA final rules explicitly mention the following actions:

Adopt written privacy procedures.

Train employees about security.

Designate a privacy officer.

Develop legal agreements that extend privacy protections to third party business associates.

Obtain patient consent for most disclosures of protected health information.

Provide the minimum amount of information necessary.

Those that misuse personal health information can be punished. The DHHS Office for Civil Rights, which is responsible for implementing the Privacy rules, can impose civil monetary penalties and criminal penalties for certain wrongful disclosures of protected information. Civil penalties can be imposed up to $25,000 per year and criminal penalties can range from $50,000 and one year in prison to $250,000 and ten years in prison.

Telemedicine and Telehealth Compliance

Telemedicine and Telehealth practitioners may face unique problems as they undertake compliance with HIPAA and other privacy rules. One issue that may greatly affect telemedicine providers is Federal preemption of state law under HIPAA.

HIPAA rules preempt state laws that are in conflict with or provide less stringent privacy protections than Federal regulatory requirements. Those states that have more stringent privacy laws would preempt Federal law. Under these circumstances, telemedicine practitioners could be faced with a patchwork of state privacy standards. For example, a telemedicine specialist in state A teleconsults with telemedicine practitioners in states B, C and D. Which state privacy laws take precedence over others, if all three state laws are more stringent than Federal law? What if they are in conflict? Which state would have legal jurisdiction if a patient decided to sue one of the practitioners? All states have laws governing the use and disclosure of health information with a wide variety of protections. The Georgetown University Health Privacy Project (Pritts, Goldman, Hudson, Berenson, & Hadley, 1999) has assembled a comprehensive summary of these state laws that highlights their complexity and diversity at their website: www.healthprivacy.org.

Given the challenging privacy issues facing its telemedicine grantees, the Office for the Advancement of Telehealth, (OAT), part of the DHHS, Health Resources and Services Administration, has joined with the Office of the Assistant Secretary for Planning and Evaluation, DHHS, to fund the Advanced Technology Institute’s (ATI) study of privacy concerns unique to telemedicine practitioners. According to the ATI's preliminary research, using input from OAT grantees, other unique privacy concerns for telemedicine practitioners may include:

The presence of outsiders or non-clinical persons in teleconsultations, such as non-clinical technicians, camera people and schedulers located on either side of a telemedicine consultation or at the site of a service provider, either physically or via the technology they support.

Clinical Personnel who may not be visible or observable by the patient may also be involved in a teleconsultation.

Patient information routinely stored electronically and/or physically at each site may not be protected by policies or procedures as effectively as information used in on-site encounters.

For telemedicine practitioners, electronic transmission of patient health information in various formats is part of their everyday job. For example, store-and-forward applications are quite common. This means that a telemedicine practitioner at a remote rural site can examine a patient and send a video clip or a photographic scan of the patient, along with the patient's medical record, by E-mail via the Internet or a dedicated line to a distant consulting practitioner. In a live interactive videoconference session, a patient may sit in the same room as a health presenter, video camera operator and technician. The consulting practitioner, who appears on the video monitor, may also have non-medical staff in his or her room. What should be done with the videotape of the consultation? How should Internet transmissions of identifiable information be handled? What types of privacy contracts should be made between the non-health staff and the practitioner? Can E-mail information be de-identified when part of the file includes scanned photos or video? Many of these types of privacy questions are unique to the practice of telemedicine.

Lawyers, HIPAA and Common Sense

The complexity of HIPAA privacy rules may be the latest boon for lawyers, but health care providers can initially develop a common sense approach to privacy protection as their first line of defense. Nurses may already be aware of common workplace practices that could compromise patient privacy. For example, patient information may be easily visible to an outside visitor when a receptionist, nurse or doctor accesses it on a computer screen, located in a busy visitor reception area. At a larger clinic or hospital, it is common practice to list names of patients on the nurses’ station bulletin board. Common practices such as these need to be reexamined with fresh eyes attuned to privacy protection. While common sense may be the first line of defense, a more formal framework of analysis may be necessary over the long term, particularly for larger organizations and for those with unique privacy issues such as telemedicine practitioners.

Risk Management Versus Crisis Management

In January of 2000, OAT organized a one-day privacy, security and confidentiality seminar for its grantees (OAT, 2000). At the seminar, privacy experts discussed basic administrative procedures, physical safeguards, and technical security mechanisms that should underpin HIPAA compliance activities.

Administrative Procedures

Several speakers emphasized risk management as a key component of administrative procedures that would help health providers meet HIPAA requirements. At this OAT Seminar Koss provided an overview of a Risk Assessment Framework and discussed the critical steps for getting ready to comply with HIPAA rules (See Table 1). Koss offered the following definitions:

Risk analysis is a process whereby cost-effective security/control measures may be selected by balancing the cost of security/control measures against the losses that would be expected if these measures were not in place.

Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level and maintaining that level of risk.

Risk assessment is an assessment based on technical vulnerabilities and sensitivity of the information.

A gap analysis is an analysis that looks at the gap between the organization’s baseline security measures and the outcome of the risk analysis – the possibility and impact of adverse threats.

Koss explained that risk can be defined as the impact and likelihood of an adverse event (OAT, 2000). The impact and likelihood of an adverse event depends on the sensitivity of the health information and the number of people who may have access to that information. On one hand, a small medical office with only one computer, no network system and limited information access would most likely rate a low risk assessment if the information stored in the computer and office is not highly sensitive. On the other hand, a large hospital with many networked computers shared by a number of personnel at different nurse workstations might rate a high risk level. A risk assessment in this case would reflect the number of users, the type and level of access, the frequency of use as well as the number of sites where the information can be accessed. Moreover, if the health information at these sites is highly sensitive, such as medical records containing details of HIV/AIDS or cancer, the risk level will be even higher.
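The definitions above (risk as impact and likelihood, and a gap analysis as the difference between baseline measures and what the risk analysis calls for) can be made concrete in code. The following is an added example written for this article, not part of the OAT seminar material or any framework Koss published. The numeric scales, the rating thresholds, and the assignment of the HIPAA-listed actions and the seminar's physical and technical mechanisms to rating tiers are all assumptions made for the illustration; the two sites are constructed from the small-office and large-hospital scenarios in the paragraph above.

```go
package main

import (
	"fmt"
	"sort"
)

// Site holds the factors the OAT seminar framework weighs: the sensitivity of
// the stored health information and how many people, sites and access modes
// expose it. The numeric scales below are assumed for this example.
type Site struct {
	Name        string
	Sensitivity int // 1 routine, 2 sensitive, 3 highly sensitive (HIV/AIDS, cancer details)
	Users       int // people with access
	Sites       int // locations from which the information can be accessed
	Networked   bool
	FrequentUse bool
	Baseline    []string // safeguards already in place
}

// Likelihood rates exposure from the access factors on an assumed 1-3 scale.
func Likelihood(s Site) int {
	l := 1
	if s.Users > 5 || s.Sites > 1 {
		l++
	}
	if s.Networked && s.FrequentUse {
		l++
	}
	return l
}

// Risk multiplies impact (sensitivity) by likelihood and maps the product to
// a rating; the thresholds are assumed.
func Risk(s Site) (score int, rating string) {
	score = s.Sensitivity * Likelihood(s)
	switch {
	case score >= 6:
		return score, "high"
	case score >= 3:
		return score, "medium"
	}
	return score, "low"
}

// Required lists safeguards per rating (assumed tiering). The "low" tier is the
// set of actions the HIPAA final rules explicitly name; higher tiers add the
// physical and technical mechanisms discussed at the OAT seminar.
var Required = map[string][]string{
	"low": {"written privacy procedures", "staff security training", "privacy officer",
		"business associate agreements", "patient consent", "minimum necessary disclosure"},
	"medium": {"user passwords", "locked storage for sensitive records", "backup system"},
	"high":   {"data encryption", "encryption over public networks", "digital signatures", "disaster recovery plan"},
}

// GapAnalysis returns the safeguards required at the site's rating that its
// baseline lacks: the gap between baseline measures and the risk analysis.
func GapAnalysis(s Site) (rating string, missing []string) {
	_, rating = Risk(s)
	have := map[string]bool{}
	for _, b := range s.Baseline {
		have[b] = true
	}
	tiers := []string{"low"}
	if rating != "low" {
		tiers = append(tiers, "medium")
	}
	if rating == "high" {
		tiers = append(tiers, "high")
	}
	for _, t := range tiers {
		for _, c := range Required[t] {
			if !have[c] {
				missing = append(missing, c)
			}
		}
	}
	sort.Strings(missing)
	return rating, missing
}

func main() {
	// Constructed sites: the small office and the large hospital from the text.
	office := Site{Name: "small office", Sensitivity: 1, Users: 2, Sites: 1,
		Baseline: []string{"written privacy procedures", "privacy officer"}}
	hospital := Site{Name: "hospital", Sensitivity: 3, Users: 200, Sites: 12, Networked: true, FrequentUse: true,
		Baseline: []string{"user passwords", "backup system"}}
	for _, s := range []Site{office, hospital} {
		rating, missing := GapAnalysis(s)
		fmt.Printf("%s: %s risk, %d safeguards missing: %v\n", s.Name, rating, len(missing), missing)
	}
}
```

The office rates low and its gap is only the HIPAA-named actions it has not yet adopted; the hospital rates high because highly sensitive records are reachable by many users at many networked sites, so its gap also includes the physical and technical tiers. Changing the weights or tiers changes the output, which is the point of the framework: the organization decides them deliberately rather than discovering them in a crisis.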

Speakers at the OAT (2000) workshop also mentioned physical safeguards that should be coupled with administrative procedures to establish security. Physical safeguards address the physical rather than procedural protection of information, such as placing computers with sensitive information away from public areas, and locking rooms or cabinets that store sensitive information.

Other OAT Seminar speakers also recommended technical security mechanisms, ranging from user passwords, to encryption (the transformation of data by the use of cryptography to produce unintelligible data [encrypted data]), to digital signatures as a means to limit access to and protect medical record information. Some common technical security mechanisms include:

Software passwords

Digital signatures, which authenticate the sender and guarantee message integrity

Data encryption

Encryption over public networks

Backup systems

Disaster recovery plan
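Two of the mechanisms listed above, digital signatures and encryption over public networks, fit the store-and-forward scenario described earlier, where a remote-site practitioner sends a scanned image and record by E-mail or Internet to a consulting practitioner. The following is an added example written for this article; it is not code from the OAT seminar or from any telemedicine product. It assumes the two sites have already exchanged an AES transport key out of band and that the receiving site knows the sender's Ed25519 public key; the record contents are constructed. The sender signs the record (authentication and integrity), then encrypts the signed record for transit (confidentiality); the receiver decrypts and verifies, and rejects an envelope altered on the wire or a record signed by anyone other than the expected sender.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is the store-and-forward payload: a note plus an attached image
// (constructed bytes standing in for a scanned photo or video clip).
type Record struct {
	PatientID string
	Note      string
	Image     []byte
}

// Envelope is what crosses the public network: AES-GCM ciphertext plus nonce.
type Envelope struct {
	Nonce, Ciphertext []byte
}

type signedRecord struct {
	Record, Signature []byte
}

// NewTransportKey makes a random AES-256 key, assumed shared out of band.
func NewTransportKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs the record with the sending practitioner's Ed25519 private key,
// then encrypts record+signature with AES-256-GCM under the transport key.
func Seal(rec Record, senderPriv ed25519.PrivateKey, transportKey []byte) (Envelope, error) {
	body, err := json.Marshal(rec)
	if err != nil {
		return Envelope{}, err
	}
	plain, err := json.Marshal(signedRecord{Record: body, Signature: ed25519.Sign(senderPriv, body)})
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(transportKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open decrypts, then verifies the signature against the expected sender's
// public key: a ciphertext altered in transit fails the GCM tag check, and a
// record signed by anyone else fails verification.
func Open(env Envelope, senderPub ed25519.PublicKey, transportKey []byte) (Record, error) {
	gcm, err := newGCM(transportKey)
	if err != nil {
		return Record{}, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return Record{}, errors.New("envelope altered in transit or wrong transport key")
	}
	var sr signedRecord
	if err := json.Unmarshal(plain, &sr); err != nil {
		return Record{}, err
	}
	if !ed25519.Verify(senderPub, sr.Record, sr.Signature) {
		return Record{}, errors.New("signature invalid: sender not authenticated or record altered")
	}
	rec := Record{}
	return rec, json.Unmarshal(sr.Record, &rec)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	key, _ := NewTransportKey()
	env, _ := Seal(Record{PatientID: "example-0001", Note: "lesion, left forearm", Image: []byte{0xFF, 0xD8}}, priv, key)
	rec, err := Open(env, pub, key)
	fmt.Println(rec.Note, err)
	env.Ciphertext[0] ^= 1 // one bit flipped on the wire
	_, err = Open(env, pub, key)
	fmt.Println("tampered:", err)
}
```

The signature sits inside the encryption, so an eavesdropper on the public network learns neither the record nor who signed it, and the receiving site can still hold the sender accountable for the content. Managing the keys (who holds the transport key, how the sender's public key is distributed and revoked) is the administrative half of the problem and is exactly what the written procedures and business associate agreements above are meant to settle.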

Consumer Health Privacy and the Internet

HIPAA privacy rules provide important, national standard privacy rules for individual health information; but they also offer an example of how policy can lag behind technology changes. HIPAA was drafted about six years ago and its provisions do not necessarily cover recent technological innovations such as the Internet. For example, HIPAA does not cover health related websites that provide health information only. It also does not cover websites that are not directly associated with a covered entity. Websites that are associated with a covered entity but do not engage in the type of electronic transactions of individually identifiable information covered under HIPAA may also not be regulated under HIPAA. These sites are in contrast to sites that do fall squarely under HIPAA rules, such as on-line pharmacies that electronically bill insurers for reimbursement for prescription drug sales. Still other websites fall into grey areas, for example, a website whose developers provide teleconsultations only for credit card payment but bill electronically for services in other parts of their practice. In grey areas like this, future case law may determine the outcome of what privacy rules do and do not cover.

While the subject of consumer privacy and the Internet is beyond the scope of this paper, it is clear that consumers have become increasingly concerned about their privacy on the Internet, especially in three areas: a) industry v. government website regulation, b) recent findings concerning the Internet and consumer health privacy, and c) health privacy legislation.

Industry Self-Regulation

Industry has attempted to address consumer privacy concerns by developing a number of standards for health-related websites. Organizations that promote industry self-regulatory standards include Health on the Net Foundation (HON) (www.hon.ch) and TRUSTe (www.TRUSTe.org), which promote the most widely accepted standards and privacy seals. A new industry coalition, the Internet Healthcare Coalition (www.ihealthcoalition.org), promotes ethical principles such as candor, honesty, quality, and informed consent. The Health Internet Ethics Coalition (www.hiethics.org), another new industry coalition, also promotes ethical principles. These principles include a commitment to adopt a privacy policy, enhanced privacy protection for health related personal information, safeguarding consumer privacy in relationships with third parties, and disclosing ownership and sponsorship information.

Recent Findings Concerning Consumer Health Privacy on the Internet

Despite industry’s efforts to self-regulate their privacy policies and activities, a number of recent reports reveal a troubling disconnect between consumer perception of their privacy on the Internet and actual practices on health websites. For example, the California Healthcare Foundation recently released the Report on the Privacy Policies and Practices of Health Websites, (Goldman, Hudson, & Smith, 2000) which describes the practice of privacy protocols on health related websites. The five major findings are:

Consumers are using health websites to better manage their health, but their personal information may not be adequately protected.

Visitors to health websites are not anonymous, even if they think they are.

Health websites recognize consumers' concern about the privacy of their personal health information and have made efforts to establish privacy policies; however, the policies fall short of truly safeguarding consumers.

There is inconsistency between the privacy policies and the actual practices of health websites.

Health websites with privacy policies that disclaim liability for the actions of third parties on the site negate those very policies.

Other notable reports that discuss consumer privacy and the Internet include those released by the Federal Trade Commission (FTC) and by Health Affairs (www.healthaffairs.org). According to the FTC’s Privacy Online: Fair Information Practices in the Electronic Marketplace (FTC, 2000), only 20% of the busiest websites comply with FTC Information Privacy Principles and only about 41% of all websites comply with at least two FTC privacy principles that are discussed below.

Recently, Health Affairs published a special issue on E-Health: The Next Wave, which offered a series of publications by E-Health experts.

One of these publications, entitled Virtually Exposed: Privacy and E-Health (Goldman & Hudson, 2000), is a study of 21 leading health-related websites that found that the policies and practices of many sites fell short of consumers' expectations for privacy. The publication also pointed out news stories highlighting the lax security for information shared and maintained online.

Health Privacy Legislation

Both the states and Congress have responded to these problems by introducing a large number of bills that attempt to protect the privacy of personal information collected from the Internet. Previously, Congress introduced and passed the Children's Online Privacy Protection Act of 1998. This law requires the FTC to develop regulations, protecting the privacy of personal information collected from and about children on the Internet and to provide greater parental control over the collection and use of that information. A comprehensive list of state and congressional privacy bills introduced in 2001 can be found at the Electronic Privacy Information Center Website at: www.epic.org.

The FDA, Department of Justice and state governments all have roles in online regulation and enforcement; but the FTC has emerged as a key online consumer protection regulator, overseeing privacy protection and deceptive trade practices on commercial websites. Among other things, the FTC has the authority to regulate personal data collected online, based on Section 5 of the Federal Trade Commission Act and the Children’s Online Privacy Protection Act. However, the FTC still lacks authority to require Web companies to adopt standard information practices such as its Privacy Principles. These four widely accepted information privacy principles are outlined below:

Choice: Offer consumers choices as to how their personal identifying information is used

Access: Give consumers reasonable access to the information the website has collected about them

Security: Take reasonable steps to protect the security of the information collected from consumers

While the FTC continues to strongly encourage industry self-regulation, in a departure from the past, the regulator made explicit legislative recommendations to Congress in their 2000 Report that would set a basic level of privacy protection for all visitors to consumer-oriented commercial websites. Specifically, the FTC recommended that websites covered by the Children's Online Privacy Protection Act of 1998 (COPPA) would have to implement all four FTC fair information practice principles outlined above.

Implementation and Evaluation

One of the most difficult issues that DHHS faces going forward is how the health care industry will implement and evaluate HIPAA privacy standards. A private subgroup of the Workgroup for Electronic Data Exchange (WEDI) called the Strategic National Implementation Process (SNIP) is assessing implementation. Its mission is to "assess industry-wide HIPAA Administrative Simplification implementation readiness and to bring about the national coordination necessary for successful compliance" (http://snip.wedi.org). SNIP represents a large health care industry group that will identify industry best practices and provide a forum for discussion and collaboration on issues relating to the implementation of HIPAA. SNIP also offers conferences on HIPAA implementation to industry members.

Recognizing the unique privacy issues facing telemedicine practitioners, OAT and OASPE have jointly funded the Advanced Technology Institute to undertake research, a workshop, and a paper that will identify which privacy issues are unique to telemedicine, evaluate how HIPAA may affect telemedicine practitioners, and identify which security approaches will facilitate effective delivery of telehealth. Completion of the report is scheduled for winter/spring 2002. The hoped-for outcome of this work is the development of practical guidelines for sound privacy practice, integrating technical, policy and administrative solutions for telemedicine/telehealth practitioners.

Conclusion

Well-established principles of privacy and fair information practice have existed for some time. However, there has been no comprehensive federal privacy standard for the protection of patient health information.

HIPAA provides a first step towards a national standard. While HIPAA rules may be complex, many health practitioners and organizations recognize that protecting consumer privacy is just good business practice, a lesson learned by other industries such as the financial services industry.

On the cutting edge of health information privacy, security, and confidentiality issues is the practice of telemedicine. The telehealth industry’s reliance on store-and-forward electronic transactions and live, interactive video conferencing, as well as Internet exchanges, raises many new practical issues in protecting individual privacy and dignity in providing health care.

The Author

Joanne K. Kumekawa is currently Director of Policy, Office for the Advancement of Telehealth, (OAT), a part of the Department of Health and Human Services’ Health Resources and Services Administration. Previously, Ms. Kumekawa spent ten years in domestic and international telecommunications and six years in consulting. She served most recently as a senior advisor to the Assistant Secretary of Commerce for Telecommunications and Information. She has also served as a Strategic Planner at the International Telecommunications Union, a special agency of the UN in Geneva, Switzerland; and as an FCC Telecommunications Policy Analyst in the Office for Plans and Policy and in the Wireless Bureau (Auctions). She received her BA in Economics from Yale University and an MBA from the Wharton School of Business, University of Pennsylvania.

Ware, W. (1993). Lessons for the Future: Dimensions of Medical Record Keeping, in Health Records: Social Needs and Personal Privacy, 43, Task Force on Privacy. Washington, D.C.: U.S. Department of Health and Human Services.